I spoke with the Internet Explorer security team about the concerns you raised. While the discussions around timing characteristic potentially contributing to fingerprinting are interesting and raise valid questions, they all amount to game theory at this point. Demonstrably effective fingerprinting techniques, like the ones in use at Panopticlick [0] can chose from dozens of browser characteristics that are easily and reliably detectable. They don't need to use timing data, even if it could be demonstrated to be valuable.
Navigation Timing can be treated as a measure of network performance (redirect, DNS, TCP, request, response) and machine performance (unload, app cache, processing, onload). The machine performance information can already be measured independently of Navigation Timing. The network information is variable; the same user in different sessions isn't guaranteed to have the same timing information. Also, your colleague one office down may have very similar network timing information as you do.
>From a hosting server perspective, servers are already aware of all the connections made to them; clearing your cache does not always reset the connection. Also, even without timing information, servers are already aware of the IP addresses.
I don't believe we should restrict timing information in anonymous browsing modes (e.g., inPrivate, incognito), because then a site will definitely know that a user is visiting in an anonymous session. Today, anonymous browsing modes behave on the network the same way as a normal session (they just don't persists session information locally).
Thank you for raising your concern here. However, I don't feel that we need to make any changes to the specification at this time.
Thanks,
Jatinder
[0] http://panopticlick.eff.org/
-----Original Message-----
From: Wendy Seltzer [mailto:wseltzer@w3.org]
Sent: Tuesday, September 11, 2012 2:38 PM
To: public-web-perf@w3.org
Subject: [NavigationTiming] Privacy and fingerprintability
I know it's late in the process, but I wanted to add a privacy concern to the mix: Navigation timing can add to the fingerprintability of browsers. Even limited to same-origin, that origin's profiling of browser latency could link multiple browsing sessions in unexpected ways, hindering users' ability to browse anonymously. [0] (This is of particular concern to the Tor Project [1], which aims to provide strong anonymity through the Tor Browser Bundle [2] -- a uniformly pre-configured browser and onion-routed anonymized network connections.)
Noting that several of the Web Performance specs have fingerprinting implications, I wonder whether the group might consider the linking attack, distinct from private information disclosure. For example, if someone doesn't want a website to be able to correlate comments with a login ID, he might log out, clear cookies, and write under a pseudonym, but still be identifiable based on his browser timing connecting his would-be-anonymous activity to previous sessions.
As a general response, then, should there be a way to disable response to timing information requests? More broadly, might we consider a standard profile for anonymous browsing (incognito mode, private
browsing) that disables uniquely identifying features (despite the possible performance hit) to provide a larger anonymity set?
Thanks,
--Wendy
[0] See https://panopticlick.eff.org/ and https://panopticlick.eff.org/browser-uniqueness.pdf
[1] https://www.torproject.org/
[2] https://www.torproject.org/projects/torbrowser.html.en and https://www.torproject.org/torbutton/en/design/
--
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
http://wendy.seltzer.org/ +1.617.863.0613 (mobile)